OAuth vulnerability in using submitted authorization token for authentication
- Authentication vulnerability
- OAuth authorization token being used for user authentication
- Reported: 7 May 2019
- Fix merged into master: 9 May 2019
- Fix in a release: 22 May 2019
Buildbot accepted user-submitted authorization token from OAuth and used it to authenticate user.
The vulnerability can lead to malicious attackers to authenticate as legitimate users of a Buildbot instance without knowledge of the victim's login credentials on certain scenarios.
If an attacker has an application authorized to access data of another user at the same Identity Provider as the used by the Buildbot instance, then he can acquire a token to access the data of that user, supply the token to the Buildbot instance and successfully login as the victim.
Buildbot 0.9.5 to 1.8.1, 2.0.0 to 2.3.0 (inclusive)
Buildbot 2.3.1 and 1.8.2
Mitigations and patches
Either of the following can be used to mitigate the vulnerability:
OAuth login can be disabled in Buildbot configuration.
Patch can be applied: https://github.com/buildbot/buildbot/pull/4763/files
Alternatively Buildbot can be upgraded to v2.3.1 or v1.8.2.
- Thanks to Phillip Kuhrt for finding and reporting this vulnerability responsibly.